Privacy Policy
Last updated: July 18, 2026
1. The short version
We collect the minimum needed to run the game: an email address, a username, a securely hashed password, and your game progress. Payments are handled by Stripe (and potentially PayPal) — we never see or store your card details. We don't run ads, we don't use third-party analytics or tracking, and we never sell your data. Full details below.
Data controller: the independent operator of Allure of Kingdoms: Ancient Past ("we"), reachable at support@allureofthepast.com.
2. What we collect
- Account data: username, email address, and your password stored as a one-way bcrypt hash (we cannot read your password).
- Game data: your progress — gold, rank, level, buildings, servants, achievements, action history, and custom text you enter (titles, goat names).
- Purchase records: if you buy Allure Points, we store the package, amount, currency, date, the payment provider's transaction ID, and an AP ledger entry. We never receive or store card numbers — payment details go directly to the payment provider on their own secure pages.
- Technical data: a session cookie, and standard web-server logs kept by our hosting provider (IP address, browser type, pages requested) used for security and debugging.
- Support email: if you email us, we keep the correspondence.
What we deliberately do not collect: card numbers, real names (unless you email us), addresses, phone numbers, advertising identifiers, or any tracking beyond the single cookie needed to keep you logged in.
3. How we use your data
- To operate the game: log you in, save progress, show leaderboards (username, title, rank, level, and prestige are visible to other players; your email never is).
- To process and deliver purchases and maintain accurate financial records.
- To prevent cheating, fraud, and abuse (e.g. rate limits, action logs, chargeback flags).
- To answer support requests.
- To meet legal obligations (tax and accounting records for purchases).
Legal bases where GDPR or similar laws apply: performance of our contract with you (running the game and delivering purchases), our legitimate interests (security and fraud prevention), and legal obligation (financial records). We do not use your data for marketing.
4. Cookies
We use exactly one cookie: a session cookie named akap that keeps you logged in.
It is essential to the service, contains only a random session identifier, and is not used
for tracking or advertising. No consent banner is required for strictly necessary cookies —
which is the only kind we use.
5. Who we share data with
- Payment providers (Stripe; potentially PayPal): they process your payment and share with us only the transaction outcome and ID. Their privacy policies apply to the payment.
- Hosting provider (Namecheap, Inc., servers in the United States): our database and web server run on their infrastructure.
- Authorities, only if legally required.
That's the whole list. We never sell, rent, or trade personal data, and there are no advertising or analytics partners.
6. Where your data lives & international transfers
Game data is stored on servers in the United States operated by our hosting provider. If you play from outside the US, your data is transferred there; we rely on our providers' standard safeguards for such transfers.
7. How long we keep it
- Account and game data: for as long as your account exists.
- Detailed action logs: pruned after about 30 days.
- Purchase and AP ledger records: kept up to 7 years after the transaction, as required for accounting, tax, and fraud-prevention purposes — even if the account is deleted.
- Server logs: per our hosting provider's standard rotation.
8. Your rights
Email support@allureofthepast.com from your account's email address to:
- Access / export a copy of the personal data we hold about you;
- Correct your email address or other details;
- Delete your account and personal data. We will remove your account, game data, and presence from leaderboards within 30 days, keeping only the purchase records the law requires us to keep (with the account link minimised);
- Object or complain — you can also lodge a complaint with your local data protection authority.
We will respond within 30 days.
9. Children
The game is not intended for children under 13, and we do not knowingly collect data from them. If you believe a child under 13 has created an account, email us and we will delete it. Players under the age of majority need a parent or guardian's consent to play and to make purchases.
10. Security
All traffic is encrypted with HTTPS/TLS. Passwords are stored only as bcrypt hashes. Database access uses parameterised queries. Payment card data never touches our servers. AP balances are maintained in an append-only ledger for auditability. No system is perfectly secure, but we deliberately minimise what we hold — the less we store, the less there is to lose.
11. Changes to this policy
If we change this policy, the "Last updated" date will change and material changes will be announced on the website before they take effect.
12. Contact
Privacy questions and requests: support@allureofthepast.com